September 2015 Page 1 of 17
Workflow Guide: Protect Internal Email Server (for customers with Sophos Firewall)
Document Date: September 2015
Contents
Scenario ..... 3
Prerequisites ..... 4
Configuration ..... 5
Test Configuration ..... 17
Scenario
Configure Sophos Firewall (SF) to route Emails from the Internet to an Internal Email server and set Anti-virus, RBL, IP Reputation, Anti-spam and DLP scanning policies for the Email traffic.
Consider the hypothetical network shown in the network diagram, where SF is placed at the gateway and an Email server for the domain mycompany.com, with IP address 192.168.0.2, is hosted in the DMZ. Follow the configuration steps given below to scan email traffic destined for the internal Email server:
1. Create Business Application Policy to Route Internet Emails to Internal Email Server.
2. Create Network Policy to allow all traffic to and from Protected Network.
3. Configure Global Email Settings – Settings may include configuring file size restriction for scanning, action to be taken for oversized mail, IP Reputation, bypass scanning of mails from authenticated connections.
4. Create Malware Scanning Rule – Rule may include configuration to block attachment of specific File Type based on MIME Whitelist, whether to quarantine mail, and how to deliver mail to the recipient if malware is identified.
5. Create Content Scanning Rules.
Prerequisites
The Email Protection module must be subscribed and activated. Check the subscription status from System > Maintenance > Licensing.
The interfaces connected to the WAN (Internet) and DMZ (containing the Email Server) zones must be plugged in and connected, as shown in the example below. Check from System > Network > Interfaces.
Configuration
You must be logged on to the Admin Console using a Device Access Profile that has read/write administrative rights over the relevant features.
Step 1: Create Business Application Policy to Route Internet Emails to Internal Email Server
Go to the Policies page and click +Add New Rule, followed by Business Application Rule. Create the policy as per the parameters given below.
Parameter / Value / Description

About This Rule
  Template: EmailServer(SMTP)
    Select the EmailServer(SMTP) template to define a business application rule for the internal Email Server.
  Rule Name: ProtectEmailServer
    Specify a name to identify the business application rule.

Source
  Host: Any
    Select the source host from which SF accepts traffic. In this example, SF accepts traffic from all hosts.

Hosted Server
  Source Zone: WAN
    Click to select the Source Zone from which SF accepts traffic. In this example, SF accepts traffic from the WAN Zone.
  Hosted Address: #PortE1-203.88.135.46
    Specify the public IP address of the Email Server. Here, the Email Server is mapped to the IP address of the SF WAN Interface.
  Scan SMTP/SMTPS: Enable
    Click the switch to enable/disable scanning of SMTP and SMTPS.

Protected Application Server
  Protected Zone: DMZ
    Select the zone in which the Email Server is placed.
  Protected Application Server(s): InternalMailServer-192.168.0.2
    Specify the internal IP address of the Email Server.
  Forward all ports: Disable
    Click to enable/disable port forwarding for all ports. When enabled, all ports are forwarded.

Port Forwarding
  Protocol: TCP
    Select the protocol, TCP or UDP, that the forwarded packets should use.
  External Port Type: Port List
    Select the type of external port from the available options. Here, we select Port List.
  External Port: 25, 587, 465
    Specify the standard SMTP and SMTPS ports to be forwarded.
  Mapped Port Type: Port List
    Select the type of mapped port from the available options. Here, we select Port List.
  Mapped Port: 25, 587, 465
    Specify the standard SMTP and SMTPS ports to be forwarded.

Reflexive Rule
  Create Reflexive Rule: Enable
    Enable to automatically create a reflexive rule. This ensures that Email traffic originating from the protected Email Server is also scanned.
    A reflexive rule has the same policies as those configured for the hosted server, but instead of applying to traffic from the source zone to the destination zone, it applies to traffic from the destination zone to the source zone.
    By default, the reflexive rule is not created.

Note: EmailServer(SMTP) applies only to SMTP/S traffic. To enable scanning of POP/S-IMAP/S traffic, use the application template EmailClients(POP & IMAP).
Step 2: Create Network Policy to allow all traffic to and from Protected Network (DMZ)
Create Network policies to allow traffic other than Email traffic to and from the protected network; that is, create rules to allow both DMZ-WAN and WAN-DMZ traffic. Here, we have created the DMZ-WAN rule. You can create the WAN-DMZ rule in a similar manner.
Go to the Policies page and click +Add New Rule, followed by User/Network Rule. Create the policy as per the parameters given below.
Parameter / Value / Description

About This Rule
  Rule Position: Bottom
    Specify the position of the rule.
  Rule Name: DMZ_WAN_Allow_Other_Traffic
    Specify a name to identify the rule.

Source
  Zone: DMZ
    Select the source zone(s) of the network traffic.

Destination
  Zone: WAN
    Select the destination zone(s) of the network traffic.

Action
  Action: Accept
    Specify the action for traffic matching the rule, from the available options:
    Accept: allow access.
    Drop: silently discard.
    Reject: deny access (an “ICMP port unreachable” message is sent to the source).
Step 3: Configure Global Email Settings
Go to Protection > Email Protection > Configuration and configure the required global settings to be applied to Email traffic.
Example:
1. Enable IP Reputation.
2. Set email size restriction for scanning to 2 MB (2048 KB).
Step 4: Create Malware Scanning Rule
Go to Protection > Email Protection > Scanning Rules and click Add under Malware Scanning Rules.
Example:
1. Block all executable files.
2. Enable Dual Anti-Virus scanning.
Parameter / Value / Description

  Name: BlockExecutable
    Enter a unique name to identify the scanning rule.
  Sender: Any
    Select the sender from the list of users. Select Any if the rule is to be applied to all senders. You can also add a new Email address by clicking the Create New link.
  Recipient: mycompany.com
    Select the recipient from the list of users. Select Any if the rule is to be applied to all recipients. You can also add a new Email address by clicking the Create New link.
  Block File Types: Executable Files
    Select the file types to be blocked as attachments, to remove files that are a potential threat and to prevent virus attacks.
  Scanning: Dual Anti-Virus
    Specify the type of scanning to be applied. Here, traffic is scanned by both Anti-Virus engines.
  Action: Quarantine
    Quarantine infected Emails. Quarantined Emails can be viewed from System > Email > Malware Quarantine.

Delivery Options
  Recipient: Infected Attachment: Don’t Deliver; Protected Attachment: Deliver Original
    Select the action to be taken on a message that is detected as infected or that includes a protected attachment.
  Administrator: Infected Attachment: Remove Attachment; Protected Attachment: Send Original
    Select the action used to notify the Administrator of a message that is detected as infected or that includes a protected attachment.
Click Save to create the rule.
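To make the effect of this rule concrete, the following model applies its settings (block Executable Files, the 2048 KB scan-size limit from Step 3, recipient “Don’t Deliver”, administrator “Remove Attachment”) to constructed MIME messages. This is an added example written for this guide, not Sophos code: the extension and MIME-type lists approximating the “Executable Files” group, the `oversize` verdict and the sample addresses are assumptions for illustration.

```python
"""Model of the Step 4 malware scanning rule applied to sample messages.

Added example, not Sophos code. Settings mirror the guide (block executable
attachments, 2048 KB scan limit, recipient: Don't Deliver, administrator:
Remove Attachment). The file-type lists are an assumed approximation of the
firewall's "Executable Files" group; sample messages are constructed here.
"""
import os
from email import policy
from email.message import EmailMessage

SCAN_LIMIT_BYTES = 2048 * 1024  # Step 3: email size restriction for scanning

# Assumed approximation of the "Executable Files" file-type group.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".msi", ".bat", ".cmd", ".ps1"}
EXECUTABLE_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec",
                         "application/x-executable",
                         "application/vnd.microsoft.portable-executable"}


def build_message(attachments, to="alice@mycompany.com"):
    """Construct a sample message; attachments are (filename, content-type, bytes)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "partner@example.net"
    msg["To"] = to
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached file.")
    for name, ctype, data in attachments:
        maintype, subtype = ctype.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg


def is_executable(part):
    """Match on the declared filename extension or on the declared MIME type."""
    ext = os.path.splitext((part.get_filename() or "").lower())[1]
    return ext in EXECUTABLE_EXTENSIONS or part.get_content_type() in EXECUTABLE_MIME_TYPES


def scan(msg):
    """Return 'oversize' (handled by the global oversize-mail action, not by this
    rule), 'blocked' with the offending attachment names, or 'clean'."""
    size = len(msg.as_bytes())
    if size > SCAN_LIMIT_BYTES:
        return {"verdict": "oversize", "blocked": [], "size": size}
    blocked = [p.get_filename() for p in msg.iter_attachments() if is_executable(p)]
    return {"verdict": "blocked" if blocked else "clean", "blocked": blocked, "size": size}


def admin_copy(msg, blocked):
    """Administrator option 'Remove Attachment': same envelope headers and text
    body, with the blocked attachments replaced by a note."""
    note = EmailMessage(policy=policy.default)
    for header in ("From", "To", "Subject"):
        if msg[header] is not None:
            note[header] = str(msg[header])
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    note.set_content(text + "\n[Removed attachments: " + ", ".join(blocked) + "]")
    return note


def deliver(msg):
    """Apply the rule's delivery options and report what each party receives."""
    result = scan(msg)
    if result["verdict"] == "blocked":
        return {"verdict": "blocked", "recipient_action": "Don't Deliver",
                "admin_action": "Remove Attachment",
                "admin_message": admin_copy(msg, result["blocked"])}
    if result["verdict"] == "oversize":
        return {"verdict": "oversize", "recipient_action": "per global oversize-mail setting",
                "admin_action": None, "admin_message": None}
    return {"verdict": "clean", "recipient_action": "Deliver Original",
            "admin_action": None, "admin_message": None}


if __name__ == "__main__":
    samples = {
        "exe by extension": build_message([("setup.exe", "application/octet-stream", b"MZ\x90\x00" * 64)]),
        "exe by MIME type": build_message([("update.bin", "application/x-msdownload", b"MZ")]),
        "pdf": build_message([("report.pdf", "application/pdf", b"%PDF-1.4 sample")]),
        "oversize": build_message([("big.bin", "application/octet-stream", bytes(3 * 1024 * 1024))]),
    }
    for label, m in samples.items():
        d = deliver(m)
        print(f"{label:>17}: {d['verdict']:<8} recipient={d['recipient_action']} admin={d['admin_action']}")
```

Note that the rule blocks on the declared file type only; an executable renamed to `.pdf` with a generic MIME type passes this check, which is why the guide pairs file-type blocking with Dual Anti-Virus scanning rather than relying on either alone.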
Step 5: Create Content Scanning Rules
You can create a number of Content Scanning Rules to define the actions that SF should take if an Email is detected as Spam. Ideally, you should create all the rules listed in the table below to protect your network against Spam to and from your Email Server. Content Scanning Rules are processed from the top down and the first matching rule is applied. Hence, when adding multiple rules, specific rules must be placed before general rules.
Note: Since we have created Business Application Rule with template “EmailServer(SMTP)”, only SMTP/S traffic will be scanned via Content Scanning Rules.
Rule / Purpose

  inbound_rule1
    Drops Emails destined to mycompany.com detected as SPAM over SMTP/S.
    Adds the prefix “POPIMAPSpam:” to the subject of Emails destined to mycompany.com detected as SPAM over POP/S-IMAP/S.
  inbound_rule2
    Drops Emails destined to mycompany.com detected as Virus Outbreak over SMTP/S.
    Adds the prefix “POPIMAPVirusOutbreak:” to the subject of Emails destined to mycompany.com detected as Virus Outbreak over POP/S-IMAP/S.
  inbound_rule3
    Adds the prefix “Spam(RBL):” to the subject of Emails destined to mycompany.com that are detected as Spam by the configured RBL(s).
  DOMAIN_ACCEPT_inbound
    Accepts all Emails destined to mycompany.com.
  outbound_rule1
    Drops all Emails originating from mycompany.com detected as SPAM.
  outbound_rule2
    Drops all Emails originating from mycompany.com with content matching the configured Data Protection Policy.
  OUTBOUND_ACCEPT_Rule
    Accepts all Emails originating from mycompany.com.
  No Open Relay
    Drops all Emails over SMTP/S. This rule is necessary to protect the Email Server from being used as an open relay.
Example: Create inbound_rule1 to:
1. Drop Emails destined to mycompany.com detected as SPAM over SMTP/S.
2. Add the prefix “POPIMAPSpam:” to the subject of Emails destined to mycompany.com detected as SPAM over POP/S-IMAP/S.
Go to System > Email > Scanning Rules and click Add under Content Scanning Rules. Create rule as shown below.
Click Save to create the rule.
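The ordering requirement in this step (top-down, first match wins, specific before general, “No Open Relay” last) is easiest to see by running the rule table against a few messages. The following is an added example written for this guide, not Sophos code: it models the eight rules above as predicates over a constructed `Message` whose spam, outbreak, RBL and DLP flags stand in for the verdicts the firewall’s scanners would supply, and shows what happens when DOMAIN_ACCEPT_inbound is moved above the specific inbound rules.

```python
"""Top-down, first-match evaluation of the Step 5 content scanning rule table.

Added example, not Sophos code. Rule names and purposes mirror the guide's
table for mycompany.com; the Message flags (is_spam, virus_outbreak,
rbl_listed, dlp_match) are assumed inputs from the firewall's scanners, and
all sample messages are constructed here.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

LOCAL_DOMAIN = "mycompany.com"


@dataclass
class Message:
    sender: str
    recipient: str
    protocol: str              # "SMTP" (covers SMTPS) or "POP/IMAP"
    subject: str = ""
    is_spam: bool = False      # anti-spam engine verdict (assumed input)
    virus_outbreak: bool = False
    rbl_listed: bool = False   # sending IP found on a configured RBL
    dlp_match: bool = False    # content matches a Data Protection policy


@dataclass
class Rule:
    name: str
    match: Callable[[Message], bool]
    action: Callable[[Message], str]   # returns the verdict string


def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def inbound(m: Message) -> bool:
    return domain(m.recipient) == LOCAL_DOMAIN


def outbound(m: Message) -> bool:
    return domain(m.sender) == LOCAL_DOMAIN


def drop(m: Message) -> str:
    return "drop"


def accept(m: Message) -> str:
    return "accept"


def prefix_subject(text: str) -> Callable[[Message], str]:
    """Tag the subject and let the message through."""
    def _apply(m: Message) -> str:
        m.subject = text + m.subject
        return "deliver-tagged"
    return _apply


def drop_smtp_else_prefix(text: str) -> Callable[[Message], str]:
    """inbound_rule1/2 behaviour: drop over SMTP/S, tag the subject over POP/S-IMAP/S."""
    tag = prefix_subject(text)
    def _apply(m: Message) -> str:
        return drop(m) if m.protocol == "SMTP" else tag(m)
    return _apply


# Same order as the guide's table: specific rules first, catch-all last.
RULES: List[Rule] = [
    Rule("inbound_rule1", lambda m: inbound(m) and m.is_spam, drop_smtp_else_prefix("POPIMAPSpam:")),
    Rule("inbound_rule2", lambda m: inbound(m) and m.virus_outbreak, drop_smtp_else_prefix("POPIMAPVirusOutbreak:")),
    Rule("inbound_rule3", lambda m: inbound(m) and m.rbl_listed, prefix_subject("Spam(RBL):")),
    Rule("DOMAIN_ACCEPT_inbound", inbound, accept),
    Rule("outbound_rule1", lambda m: outbound(m) and m.is_spam, drop),
    Rule("outbound_rule2", lambda m: outbound(m) and m.dlp_match, drop),
    Rule("OUTBOUND_ACCEPT_Rule", outbound, accept),
    # Whatever is left over SMTP/S is neither to nor from our domain: a relay attempt.
    Rule("No Open Relay", lambda m: m.protocol == "SMTP", drop),
]


def evaluate(m: Message, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (matching rule name, verdict); the first matching rule wins."""
    for rule in rules:
        if rule.match(m):
            return rule.name, rule.action(m)
    return "none", "no rule matched"


def misordered_rules() -> List[Rule]:
    """The same rules with the general DOMAIN_ACCEPT_inbound moved to the top."""
    general = next(r for r in RULES if r.name == "DOMAIN_ACCEPT_inbound")
    return [general] + [r for r in RULES if r is not general]


if __name__ == "__main__":
    samples = [
        Message("bulk@spammer.example", "alice@mycompany.com", "SMTP", "Win!", is_spam=True),
        Message("bulk@spammer.example", "alice@mycompany.com", "POP/IMAP", "Win!", is_spam=True),
        Message("partner@example.net", "alice@mycompany.com", "SMTP", "Report"),
        Message("bob@mycompany.com", "partner@example.net", "SMTP", "Payroll", dlp_match=True),
        Message("anyone@example.org", "victim@example.com", "SMTP", "Relay me"),
    ]
    for s in samples:
        print(f"{s.sender:>22} -> {s.recipient:<22} {evaluate(s)}")
    spam = Message("bulk@spammer.example", "alice@mycompany.com", "SMTP", "Win!", is_spam=True)
    print("with DOMAIN_ACCEPT_inbound first:", evaluate(spam, misordered_rules()))
```

With the table in the guide’s order, inbound spam over SMTP is dropped by inbound_rule1 and a message that is neither to nor from mycompany.com falls through to “No Open Relay”; with DOMAIN_ACCEPT_inbound moved to the top, the same spam is accepted because the general rule matches first and the specific rules are never consulted.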
Test Configuration
You can check from the Log Viewer whether Emails sent to and from the Email Server are accepted or dropped. Access it from System > Diagnostics > Log Viewer.